Advisories » MGASA-2024-0004

Updated dropbear package fixes a security vulnerability

Publication date: 08 Jan 2024
Modification date: 08 Jan 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2023-48795

Description

Parts of the SSH specification are vulnerable to a novel prefix
truncation attack (a.k.a. Terrapin attack), which allows a
man-in-the-middle attacker to strip an arbitrary number of messages
right after the initial key exchange, breaking SSH extension negotiation
(RFC8308) in the process and thus downgrading connection security.
### Mitigations
To mitigate this protocol vulnerability, OpenSSH suggested a so-called
"strict kex" which alters the SSH handshake to ensure a
Man-in-the-Middle attacker cannot introduce unauthenticated messages as
well as convey sequence number manipulation across handshakes. Support
for strict key exchange has been added to a variety of SSH
implementations, including OpenSSH itself, PuTTY, libssh, and more.
This release includes a patch to implement Strict KEX mode.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=32656
• https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48795

SRPMS

9/core

• dropbear-2022.83-2.1.mga9